NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Buddel

    Just for information, those 6 custom rules could be shortened to 1 rule using regex:

    Code:
    [REGEX:%PROCESSCMDLINE%: \.(doc|docx|docm|xls|xlsx|xlsm|xlam)"$] [%RULENAME%: Block opening of DOC/XLS files]
    
    @paulderdash

    Will write it in the todo list, thanks for the suggestion.

    @Roberteyewhy

    On the order page, on the right sidebar click on "Enter Promotional Code" link, then enter the coupon code and click "Apply" button.


    coupon-code.png
     
  2. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Did you get my mail, Andreas?
     
  3. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Version 1.5.1 fixed my problem with Roboform and MS Edge. Thanks!
     
  4. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Thanks. Stupid me!!!

    Robert
     
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    This is an even easier rule. Thanks for that, Andreas.
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Enjoy using OSA, right balance of simplicity and restriction for me. Two licenses purchased.

    Andreas, hope you get the business and enterprise sales to make this venture financially viable, as you know it won't come from personal alone; SRP is probably too 'geeky' even though it could just be used on defaults.
     
  7. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Is it possible to use OSA to restrict access to certain directories from everything except a certain application? It would really help to restrict access to my documents dir to Office and my system images dir to IFW, but I am unsure of how to create a custom rule to accomplish this.

    Any ideas?
     
  8. Richard981

    Richard981 Suspended Member

    Joined:
    Aug 21, 2020
    Posts:
    14
    Location:
    Canada
    I can't even purchase the software; I am blocked by this ****** FastSpring company, both PayPal and CC.

    FastSpring payment doesn't like Tutanota email apparently. I apologize for bringing this unrelated discussion here. With a non-Tutanota email I had success.
     
    Last edited: Oct 21, 2020
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    My first OSArmor event logged:

    Date/Time: 21/10/2020 11:31:45 PM
    Process: [41256]C:\Users\ReHIPSUser2\69.0.3686.95\notification_helper.exe
    Process MD5 Hash: E81882DCCB8DEEC87A25164596CED2CD
    Parent: [676]C:\Windows\System32\svchost.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: "C:\Users\ReHIPSUser2\69.0.3686.95\notification_helper.exe" -Embedding
    Signer: Opera Software AS
    Parent Signer: Microsoft Windows Publisher
    User/Domain: Owner/DESKTOP-XXXXXXX
    System File: False
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: System

    I decided to exclude, since it related to an old version of Opera, i.e. 69.0.3686.95:

    [%PROCESS%: C:\Users\ReHIPSUser2\69.0.3686.95\notification_helper.exe] [%PROCESSCMDLINE%: "C:\Users\ReHIPSUser2\69.0.3686.95\notification_helper.exe" -Embedding] [%FILESIGNER%: Opera Software AS] [%PARENTPROCESS%: C:\Windows\System32\svchost.exe] [%PARENTSIGNER%: Microsoft Windows Publisher]

    I really don't understand why this warning by OSArmor occurred. I guess, just a blip. :confused:
     
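Both the one-line regex rule in novirusthanks's first post above and Tarnak's exclusion in this post use the same [%VAR%: value] / [REGEX:%VAR%: pattern] syntax. The following is an added example, not OSArmor's own code and not written by any poster: a small Python evaluator that parses rules in that syntax and runs them against the event Tarnak logged. Its matching semantics are assumptions (plain fields compare exactly but case-insensitively, REGEX fields use re.search with IGNORECASE, every field in a rule must hold, the [pid] prefix on Process/Parent is not part of %PROCESS%), and the WINWORD.EXE command lines are constructed, not taken from the thread.

```python
import re

# Added example, not OSArmor's own code: an evaluator for the custom-rule
# syntax quoted in this thread, [%VAR%: value] and [REGEX:%VAR%: pattern].
# Matching semantics are assumptions: plain fields compare exactly but
# case-insensitively, REGEX fields use re.search with IGNORECASE, all fields
# of a rule must hold (AND) in any order, and %RULENAME% is only a label.

# Rule variable -> key in the "Key: Value" event log. Mapping assumed from
# the field names in the logged event above.
LOG_KEY_FOR_VAR = {
    "PROCESS": "Process",
    "PROCESSCMDLINE": "Command Line",
    "FILESIGNER": "Signer",
    "PARENTPROCESS": "Parent",
    "PARENTSIGNER": "Parent Signer",
}

# One [...] token. The closing ']' must be followed by the next token or the
# end of the rule, so a ']' inside a regex pattern does not end the token early.
TOKEN_RE = re.compile(r"\[(REGEX:)?%(\w+)%:\s*(.*?)\](?=\s*\[|\s*$)")


def parse_rule(rule_text):
    """Return {'name': label or None, 'conditions': [(var, is_regex, value)]}."""
    name, conditions = None, []
    for regex_flag, var, value in TOKEN_RE.findall(rule_text):
        if var == "RULENAME":
            name = value
        else:
            conditions.append((var, bool(regex_flag), value))
    if not conditions:
        raise ValueError("rule has no matchable field: %r" % rule_text)
    return {"name": name, "conditions": conditions}


def parse_event(log_text):
    """Parse an OSArmor 'Key: Value' event block into a dict. The '[pid]' prefix
    on Process/Parent is stripped (assumed not to be part of %PROCESS%)."""
    event = {}
    for line in log_text.strip().splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            event[key.strip()] = value.strip()
    for key in ("Process", "Parent"):
        if key in event:
            event[key] = re.sub(r"^\[\d+\]", "", event[key])
    return event


def rule_matches(rule, event):
    """True only if every condition in the rule holds for the event."""
    for var, is_regex, value in rule["conditions"]:
        actual = event.get(LOG_KEY_FOR_VAR.get(var, var), "")
        if is_regex:
            if not re.search(value, actual, re.IGNORECASE):
                return False
        elif actual.lower() != value.lower():
            return False
    return True


# The one-rule regex replacement for the six DOC/XLS rules, and Tarnak's
# exclusion rule, both copied from the posts above.
DOC_RULE = parse_rule(
    r'[REGEX:%PROCESSCMDLINE%: \.(doc|docx|docm|xls|xlsx|xlsm|xlam)"$] '
    r'[%RULENAME%: Block opening of DOC/XLS files]'
)
EXCLUSION = parse_rule(
    r'[%PROCESS%: C:\Users\ReHIPSUser2\69.0.3686.95\notification_helper.exe] '
    r'[%PROCESSCMDLINE%: "C:\Users\ReHIPSUser2\69.0.3686.95\notification_helper.exe" -Embedding] '
    r'[%FILESIGNER%: Opera Software AS] [%PARENTPROCESS%: C:\Windows\System32\svchost.exe] '
    r'[%PARENTSIGNER%: Microsoft Windows Publisher]'
)

# Tarnak's logged event (relevant fields), copied from the post above.
TARNAK_EVENT = r"""
Process: [41256]C:\Users\ReHIPSUser2\69.0.3686.95\notification_helper.exe
Parent: [676]C:\Windows\System32\svchost.exe
Command Line: "C:\Users\ReHIPSUser2\69.0.3686.95\notification_helper.exe" -Embedding
Signer: Opera Software AS
Parent Signer: Microsoft Windows Publisher
"""

# Constructed command lines (not from the thread) to probe the DOC rule.
WORD = r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"'
CMDLINES = {
    "quoted_docm": WORD + r' "C:\Users\alice\Downloads\invoice.docm"',
    "double_ext": WORD + r' "C:\Users\alice\Downloads\invoice.docm.exe"',
    "unquoted_doc": WORD + r' C:\Users\alice\Downloads\invoice.doc',
}


def evaluate():
    """Run both rules against the sample inputs; returns {label: matched}."""
    event = parse_event(TARNAK_EVENT)
    results = {
        "exclusion_on_tarnak_event": rule_matches(EXCLUSION, event),
        "doc_rule_on_tarnak_event": rule_matches(DOC_RULE, event),
    }
    for label, cmd in CMDLINES.items():
        results["doc_rule_" + label] = rule_matches(DOC_RULE, {"Command Line": cmd})
    # Same path and command line but a different signer: the exclusion must not apply.
    spoofed = dict(event, Signer="Unknown Publisher")
    results["exclusion_on_spoofed_signer"] = rule_matches(EXCLUSION, spoofed)
    return results


if __name__ == "__main__":
    for label, matched in evaluate().items():
        print("%-30s %s" % (label, matched))
```

Two things the run makes visible. The regex rule is anchored on `"$`, so it only fires when the document path is the last argument and is quoted; an unquoted `invoice.doc` at the end of the command line is not caught, and `invoice.docm.exe` is correctly left alone. The exclusion pins the signer and the parent as well as the path, so a differently signed binary dropped at the same path with the same command line still gets blocked.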
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I refer to the following post, made October 15, by @wat0114

    https://www.wilderssecurity.com/thr...layer-of-defense.398859/page-123#post-2956802

    ...and a reply by @novirusthanks

    https://www.wilderssecurity.com/thr...layer-of-defense.398859/page-123#post-2957104

    ...."Thanks for your feedback, always appreciated!

    We may simplify rules creation in future versions via a dedicated GUI, however I think once a user understands the rules syntax, it would become easier.

    We use vars like this [%VAR: matching field] because this way we can better separate each rule and no need to make them in order.

    Plan is to also make a detailed tutorial and videos about custom rules."

    I think I will never understand "rules syntax", because I will never be an advanced user.
     
  11. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    So OSA is no longer free? I can't afford to buy it, so I will have to uninstall it:(
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I've still got the previous version installed on my machines. Next time I clean install Windows I will re-evaluate my security setup, but for now OSA can stay.
     
  13. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
  14. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
    A tip for all XP users:

    Once OSA is installed, go to the Add/Remove Programs tool and uninstall the NovirusThanks Licence Manager 1.0.
    As OSA is free on XP systems, you don't need it, and the licence manager has an issue on XP (a 180-second starting delay for the service, shown in the Event Viewer).
    Perhaps because I was offline, I don't know?

    @novirusthanks

    A suggestion for the setup, don't install by default the licence manager on XP systems. :rolleyes:
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @paulderdash

    Thanks for the feedback, glad you're enjoying OSA =)

    @Tarnak

    The reported FP will be fixed on the next version.

    @Richard981

    Thanks for the purchase and for sharing what has worked.

    @n8chavez

    Restricting access to folders and files can't be achieved with OSA.

    @genieautravail

    Yes, will update the installer on the next version.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @novirusthanks @n8chavez may seem to be reaching for straws with this current version, but it does seem a very interesting idea all in all, if possible. Sometime later, would that be a new option which your current code could integrate into a new OSA at some point? Or is it off the table due to potential interruption of some of its already solid functionality?
    Cheers EASTER
     
  17. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    I don't get it. OSA already has the ability to "Block processes located in suspicious folders", "Block processes executed from a ram disk" among other rules which clearly indicate that the ability to do what I'm asking for is there, at least the building block for what I asked. This option would be invaluable in protecting against ransomware. I already bought OSA too. It's a shame.
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @n8chavez @EASTER

    Restricting access to folders and files, for example restricting/changing read or write permissions on a folder, cannot be directly done with OSA. However, you can block the process; for example you can block all processes in specific locations, so if a process cannot run then it cannot access/write any folder or file. Regarding the rules "Block processes located in suspicious folders" and "Block processes executed from a ram disk" among others, they are used to restrict process execution from specific locations.

    OSA is an advanced process behavior monitoring software.

    If you want to control what process can write or read data to/from a folder you need a folder/file permission control software, an example is this:
    https://www.novirusthanks.org/products/file-system-protector/

    Regarding ransomware protection, OSA is specifically built to block ransomware delivery methods and thus prevent the ransomware infection, for example:

    Ransomware is delivered via maldocs (.doc, .xls, etc.), scripts (.js, .vbs, etc.), Emotet (.doc), and so on.

    By blocking the payload of the delivery methods, the ransomware will not be executed in the system (the infection chain will be stopped at the beginning) and the system will be safe.

    Prevention is the key feature of OSA.
     
    Last edited: Oct 23, 2020
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
  20. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    429
    Location:
    Australia
    Hi novirusthanks.
    I'm a past and current user of your 'soft, in which I have a lot of trust and satisfaction.

    Not yet a user of version 1.5 (will be installing soon on some new Win 10 boxes) may I ask about the value / or otherwise of the following potential mitigations (for inclusion in OSArmor in some way):-

    (1) Rename vssadmin.exe. There is an old (2015) article by Lawrence Abrams: Why Everyone Should disable VSSAdmin.exe Now!
    [reference: https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadminexe-now/]


    The article points out that access to this by hackers / ransomware will enable them to delete all shadow copies (eg, system restore) and that, in a home environment, this utility is not really needed as it is an administration tool for enterprise environments.

    (2) Change the "ownership" of your drives (to yourself):
    Reference:
    JohnSovereign
    posting in Bleeping Computer, Oct 2020.
    Ransomware help & Tech Support.

    https://www.bleepingcomputer.com/forums/t/733846/ransomware-recovery-solution-99-guaranteed/

    Any advice is appreciated.
    cheers.
     
  21. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    For now, I am to stick with OSArmor 1.4.3

    Alongside AppCheck Free or NeuShield Data Sentinel Free to complement the setup - any suggestions?
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Feandur

    That's awesome! I am glad you like OSArmor.

    About your two questions:

    (1) OSArmor already covers blocking of vssadmin.exe (and other system processes) suspicious behaviors known to be exploited to remove shadow copies of files. Additionally if you want you can also completely block execution of vssadmin.exe with this rule:

    osarmor.png

    (2) Changing the ownership of an external drive may be of help in some cases; however, a ransomware once executed in the system may always find a way to gain permissions to access any drive. In my personal opinion it is always better to completely prevent a ransomware infection by, for example, blocking all delivery methods and hardening the system.

    Here we use OSArmor for real-time protection and custom process block rules, along with SysHardener to harden the system by applying smart policies to increase the defense and block more system "holes" that can be exploited to deliver a ransomware.

    You can find more details here: https://www.novirusthanks.org/products/syshardener/

    @korben

    I would suggest you try SysHardener:
    https://www.novirusthanks.org/products/syshardener/

    It can increase the level of defense by applying smart policies in the system.

    Default settings are fine and should not create issues with the OS or with other programs.

    You can always revert back the changes if needed.
     
  23. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
  24. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    That sounds reasonable, thanks @novirusthanks!
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Just click "Add to Exclusions".
     